Hi Guys,
I hope can help me find a solution for the issue that I am having while using Fortigate email two-factor authentication in a IPSEC VPN.
The problem is when a user clicks on connect in Forticlient the PC loses internet connectivity and FortClient stays waiting for the email code that was sent to the user email address, but the user can access their email because they are without internet connectivity on the PC.
I am using slipt tunnelling, this does not make sense, because they need the token to connect to VPN but they don't have internet connectivity until they log into the VPN.
Testing the access getting the token using my mobile phone, the VPN connection works how it should, and it does not redirect the default gateway to the VPN, only the slipt tunnelling routes are added to the PC.
I hope someone can help with this inconvenient problem.
Thanks for your help.
That did it. I was able to export the config just using the settings page in FortiClient then edit the file and import.
It looks like until authentication is complete and it can pull routes from the Fortigate it uses that field to determine which traffic to route over the VPN tunnel. 0.0.0.0 would be all traffic.
Thank you for the solution.
https://docs.fortinet.com/document/forticlient/6.4.2/xml-reference-guide/96295/ike-settings
<implied_SPDO>1</implied_SPDO> <implied_SPDO_timeout>60</implied_SPDO_timeout>
implied_SPDO - When this setting is 0, FortiClient only allows traffic from ports 500 and 4500. When this setting is 1, FortiClient allows other traffic during the connection phase, including Internet traffic. It is important to change implied_SPDO_timeout value to >0.
This is the correct solution for losing internet connectivity while waiting for email with token.
Hi there.
I'm facing the same issue with FCT 6.4.2 and even after following Fortinet TAC's suggestion to use the SPDO setting (I set the timeout to 5 seconds), it won't work.
This is the reference documentation for FCT 6.4.5 --> https://docs.fortinet.com...ide/96295/ike-settings
I'm still working on this with TAC, but in the meantime:
- what exactly does SPDO stand for?
- why is it a security concern to allow non-IKE traffic when establishing an IPsec tunnel?
TIA,
Flavio.
Hi guys!! we are doing this procedure and it works smoothly. The problem is that customer came with a request to use vpn over android phones. It seems that there is no config file on android os. Is there anyone who did email 2fa vpn over android os? How did you do it?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.